The California legislature passed five bills amending the California Consumer Privacy Act (CCPA) that, if signed into law by Governor Gavin Newsom, will provide some degree of relief to the marketing industry.
As we have discussed in previous alerts (see, for example, CCPA Update: Preparing for the CCPA — 10 Things You Can Tackle Now and CCPA Update: California Public Forums and Other Proposed State/Federal Legislation), the CCPA, which was enacted in 2018 and which takes effect on January 1, 2020, provides various rights to consumers, including the right to:
- Know what personal information (PI) a business collects about them;
- Know what PI a business sells about them, including the categories of PI that the business sells and the categories of third parties to whom it sells that information;
- Access the specific pieces of information a business has collected about them;
- Delete information that a business has collected from them;
- Opt-out of the sale of their PI (which is an opt-in if the user is under 16 years of age); and,
- Non-discriminatory treatment.
After the CCPA was enacted, the marketing industry (as well as other businesses) sought amendments to, and clarifications of, the CCPA.
Earlier this year, the California Assembly's Committee on Privacy and Consumer Protection approved a host of bills to amend the CCPA in a variety of ways (see, for example, Blizzard of Bills to Amend Privacy Law Moves Forward in California Assembly).
Some of the changes proposed in those bills have made it through the legislature, while others were dropped. One notable proposal that was not considered is Senate Bill 753, which would have amended the definition of "sell" to exempt certain disclosures of a unique identifier to third parties for advertising purposes. Similarly, Assembly Bill 846, which addressed prohibitions and exceptions on the sale of personal information collected as part of loyalty reward, discount and similar programs, was also removed from consideration.
The Passed Bills
Out of the bills the legislature just passed, some highlights include:
Assembly Bill 25
The bill generally exempts PI collected by a business in certain employment-related contexts from the scope of the CCPA through December 31, 2020. The bill also authorizes businesses to require reasonable authentication of consumers in connection with their requests under CCPA and to require consumers to use their existing accounts to make their requests. However, the business may not require the consumer to create a new account in order to make a request.
Assembly Bill 874
This bill expands the scope of "publicly available" information exempt from the definition of PI by providing that "publicly available" includes information lawfully made available from government records.
The bill also amends the CCPA's definition of PI to make it clear that it does not include deidentified or aggregate consumer information (rather than only deidentified and aggregate consumer information).
In addition, the bill specifies that PI includes information reasonably capable of being associated with a particular consumer or household, as opposed to information capable of being associated with a particular consumer or household.
Assembly Bill 1146
The bill provides that a consumer's right of deletion does not apply if it is necessary for the business or service provider to maintain the consumer's PI to fulfill the terms of a written warranty or recall conducted under federal law. The bill also provides an exemption from a consumer's right to opt-out of the sale of his or her PI for vehicle or ownership information retained or shared between a "new motor vehicle dealer" and the "vehicle's manufacturer" in specified circumstances.
Assembly Bill 1355
This bill broadens the scope and application of the CCPA's Fair Credit Reporting Act exemption, provides that businesses do not have to collect PI they would not otherwise collect in the ordinary course of business or retain PI for longer than it would normally be retained in the ordinary course of business. This bill also temporarily limits the CCPA's application to PI collected in specified business-to-business communications and transactions.
Assembly Bill 1564
This bill provides that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects PI only needs to provide an email address, rather than both a toll free phone number and email address, for submitting requests for information regarding the PI of the consumer collected or disclosed by the business under the CCPA.
With a January 1, 2020 effective date looming, companies have been clamoring for clarity on the CCPA. These five amendments that were just passed by the legislature (assuming that they will be signed into law by the Governor, who has until October 13 to do so) will certainly help, though the industry is still waiting for the California Attorney General to issue implementing regulations, which are expected in the next month or two.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.